EA6400 & EA6700 L2TP not working
Hi. On the latest firmware (router reset once) the L2TP internet connection is not working. On the first firmware all was good. The router gets an IP from the 10.0.0.0 net and wants to connect to 85.21.0.253, but this IP does not ping in the diagnostic menu on the latest firmware!!!
Sorry for my Google English.
Hi kiPuxa,
Perform a hard reset of your router. There are cases where the router needs to be reset after a firmware upgrade, so that if any settings were corrupted they are fixed by restoring the settings to factory defaults. If the problem still persists, open the ports for L2TP on the router.
TCP - 1701, 1723, 443
UDP - 500
Good luck....
Similar Messages
-
L2TP VPN connection not working under 10.6.3
Hi everyone.
I need to connect to a VPN with L2TP/IPSec.
The connection works fine if I boot into Bootcamp (win7).
But if I boot into 10.6.3, it does not work.
Any idea what the problem could be?
Settings are triple-checked and copy-pasted into their proper fields (like in Win7). Router settings are correct, otherwise it would not work in Win7.
So it is a problem with OS X.
The following is from the ppp.log:
Thu Apr 22 19:14:03 2010 : L2TP connecting to server 'vpn.xxx.com' (x.x.x.x)...
Thu Apr 22 19:14:03 2010 : IPSec connection started
Thu Apr 22 19:14:03 2010 : IPSec phase 1 client started
Thu Apr 22 19:14:03 2010 : IPSec phase 1 server replied
Thu Apr 22 19:14:04 2010 : IPSec phase 2 started
Thu Apr 22 19:14:34 2010 : IPSec connection failed
The server is reachable, but something fails in phase 2.
In the system log, the entries are:
Apr 22 19:14:03 noname pppd[517]: pppd 2.4.2 (Apple version 412.0.10) started by x, uid x
Apr 22 19:14:03 noname pppd[517]: L2TP connecting to server 'vpn.xxx.com' (x.x.x.x)…
Apr 22 19:14:03 noname pppd[517]: IPSec connection started
Apr 22 19:14:03 noname racoon[518]: Connecting.
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Information message).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:07 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:08 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:13 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:13 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:16 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:16 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:19 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:19 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:22 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:22 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:25 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:26 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:28 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:28 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:31 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:31 noname racoon[518]: IKE Packet: receive success. (Information message).
Apr 22 19:14:34 noname pppd[517]: IPSec connection failed
Apr 22 19:14:34 noname racoon[518]: IKE Packet: transmit failed. (Information message).
Apr 22 19:14:34 noname racoon[518]: IKEv1 Information-Notice: transmit failed. (Delete ISAKMP-SA).
Apr 22 19:14:34 noname racoon[518]: Disconnecting. (Connection tried to negotiate for, 31.609591 seconds).
Apr 22 19:14:34 noname racoon[518]: IKE Packets Transmit Failure-Rate Statistic. (Failure-Rate = 7.143).
Apr 22 19:14:34 noname racoon[518]: IKE Information-Notice Transmit Failure-Rate Statistic. (Failure-Rate = 100.000).
Hi
I have the same messages on 10.6.4 and with the Sonic xx170:
28.06.10 11:39:04 racoon[489] IKE Packet: transmit success. (Phase2 Retransmit).
28.06.10 11:39:07 racoon[489] IKE Packet: transmit success. (Phase2 Retransmit).
28.06.10 11:39:08 racoon[489] IKE Packet: receive success. (Information message).
28.06.10 11:39:10 pppd[488] IPSec connection failed
28.06.10 11:39:10 racoon[489] IKE Packet: transmit success. (Information message).
28.06.10 11:39:10 racoon[489] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Any ideas?
Waiting on 10.6.5, 10.6.6 ....?
regards, Arthur -
L2TP Passthrough not working on WRT54GS
I have a VPN server behind my WRT54GS (firmware v7.2.06) which I have no problems connecting to via PPTP. I cannot, however, connect with L2TP. I am certain that the L2TP request is not getting past the router, because the connection attempt doesn't even show up in the VPN logs on the server.
IPSec, PPTP and L2TP Passthroughs are all enabled. I even set up port forwarding on 1701 UDP and 1723 TCP. I also have ISAKMP/IKE on port 500 and IKE NAT on port 4500 (both UDP) set up to forward.
I would rather be using L2TP for higher security.
I do not see what I am doing wrong here. Any ideas?
If you are sure that the port forwarding rules are properly applied, change the MTU to 1300 and see if it works; if it does not work, change the MTU to 1200 and cross-check...
-
Apple TV gen 3 not working with Linksys EA6700
Hello, I have an Apple TV 3 with 5.3 firmware; connecting to the Linksys EA6700 is so far impossible. It has always worked with a Technicolour 582n. No problems. But with this Linksys EA6700 Smart router there is no result when connecting. This is wireless as well as cable. It stays stuck on Activation as well as Setting date and time, which results in only Computers and Settings. I have been in contact with Linksys. They don't want to burn their fingers on it, so no solution. Before, I was able to use it with firmware 5.02, but now I have tried to restore this and it is not accepting it and gives a fault. Did a wireless restore, did a cable restore, did a micro USB restore. Nothing, nix, nada, horror, horror! Why is it that Apple TV is NOT working with Linksys routers? After so many updates from Apple still no inclusion. What is the problem? Tried also to set the DNS server to 8.8.8.8, disconnected everything, on and off, you name it. It can't be that difficult, is it? Why can't we manually activate and set the time and date by hand? Something is wrong here. Does Apple refuse to talk to Linksys about this or do they just hate Linksys routers? Further, the Linksys EA6700 is working great with every other hardware. Easy installation. No problem with switches, computers, laptops, iPads, iPhones, Android, ................... But not with Apple TV!
Nobody ?
-
L2TP VPN not working over internet
Hello Mac Community,
It is pretty clear to me that even though I have forwarded the required ports for L2TP, Mavericks and Server 3 break the L2TP VPN capabilities I was actively using in Mountain Lion.
I can connect locally, but when done from an external network via port forwarding, L2TP fails to connect. Before you query me on port forwarding and router make and model, let me assure you, I have been successfully doing L2TP VPN with Mountain Lion and Server 2.x.x with no issue. Pretty clear to me that Mavericks broke something.
Suggestions specific to the OS platform are appreciated! (The network is in good working order.)
Hello there as well,
I have the same issue and I investigated the problem. The reason why it does not work is that racoon (the IKE daemon) does not accept connections on port 4500 (IKE for NAT-T) if the source port is randomly generated.
Since Mavericks and iOS 7 the source port from the client is no longer 4500, which leads to this problem (unless you have an old VPN connection already set up before you updated to iOS 7 on your phone).
If you are in the same network as your server, IKE NAT-T is not used. In this case the regular port 500 (IKE) is used, and this works as expected. At the moment we have to wait and see whether the problem is fixed by Apple.
There are two possibilities: they can adjust the clients or the server configuration. However, if you want to use VPN with OS X native methods, use PPTP. This is not affected, but of course it provides no Layer 2 tunneling.
Regards,
Daniel -
Cisco IPSEC VPN not working after upgrade to Mavericks
I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When I tell it to connect it prompts for a password and attempts to connect for about 30 seconds, then comes back with the following message...
VPN Connection
The negotiation with the VPN server failed. Verify the server address and try reconnecting.
The address, group, shared secret, user and password are correct. Any help would be greatly appreciated.
Hey, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after the Mavericks upgrade!
I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
It really is quite a simple fix.
Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
OK so here goes… copy and paste the following into Terminal ONE LINE AT A TIME!
cd /tmp
curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
tar -xzvf racoon.tar.gz
rm racoon.tar.gz
sudo chown root:wheel racoon
sudo chmod 555 racoon
if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
sudo mv racoon /usr/sbin/racoon
sudo killall racoon
This works fine for me and I'm running an OS X Server for my entire office.
…et voilà! -
VPN not working after update from SLS to MLS
Hi folks,
Last weekend I updated my Snow Leopard Server following the suggested procedure: installed Mountain Lion first and then OS X Server. Now I have a problem.
Setup:
- Mac mini Server located in my private LAN, running SLS as a virtual machine (VMware)
- connected to the Internet via an AVM FritzBox 7270
For HTTP (80) and VPN (500, 1701 and 4500) the ports are forwarded to the virtual machine. Everything was working well before the update (access to the website and VPN from both internal and external). The VPN connection is used either with an iPhone or with my MacBook Pro.
The website is still working as expected. The VPN service is not working properly anymore. I can access it from internal, but not from external.
So, to make it clear, nothing but the server OS changed in the setup.
Any ideas? Did the ports change from 10.6 to 10.8?
Thanks in advance,
Andre
(Err, and YES, I have a snapshot of 10.6. If I revert, it works again, but this can't be the solution.)
Hi all,
To point out the difference, this is what the logs say....
Connecting from internal, VPN success:
21.06.13 18:12:13,880 racoon[226] IPSec Phase1 started (Initiated by peer).
21.06.13 18:12:13,882 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 1).
21.06.13 18:12:13,883 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 2).
21.06.13 18:12:13,921 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 3).
21.06.13 18:12:13,942 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 4).
21.06.13 18:12:13,969 racoon[226] IKEv1 Phase1 AUTH: success. (Responder, Main-Mode Message 5).
21.06.13 18:12:13,969 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 5).
21.06.13 18:12:13,970 racoon[226] IKEv1 Phase1 Responder: success. (Responder, Main-Mode).
21.06.13 18:12:13,970 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 6).
21.06.13 18:12:13,970 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:12:14,881 racoon[226] IPSec Phase2 started (Initiated by peer).
21.06.13 18:12:14,881 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 1).
21.06.13 18:12:14,881 racoon[226] IKE Packet: transmit success. (Responder, Quick-Mode message 2).
21.06.13 18:12:14,885 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 3).
21.06.13 18:12:14,886 racoon[226] IKEv1 Phase2 Responder: success. (Responder, Quick-Mode).
21.06.13 18:12:14,886 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:12:14,890 vpnd[1210] Incoming call... Address given to client = 192.168.0.203
21.06.13 18:12:14,918 pppd[1371] pppd 2.4.2 (Apple version 596.13) started by root, uid 0
21.06.13 18:12:14,923 pppd[1371] L2TP incoming call in progress from '192.168.0.117'...
21.06.13 18:12:14,931 pppd[1371] L2TP connection established.
21.06.13 18:12:14,935 pppd[1371] Connect: ppp1 <--> socket[34:18]
21.06.13 18:12:14,944 UserEventAgent[17] Captive: [mySCCopyWiFiDevices:162] WiFi Device Name == NULL
21.06.13 18:12:15,036 pppd[1371] CHAP peer authentication succeeded for <username>
21.06.13 18:12:15,042 pppd[1371] DSAccessControl plugin: User '<username>' authorized for access
21.06.13 18:12:15,052 pppd[1371] Unsupported protocol 0x8057 received
21.06.13 18:12:15,058 pppd[1256] l2tp_wait_input: Address added. previous interface setting (name: en0, address: 192.168.0.103), current interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:15,058 pppd[1371] local IP address 192.168.0.103
21.06.13 18:12:15,059 pppd[1371] remote IP address 192.168.0.203
21.06.13 18:12:15,061 pppd[1371] l2tp_wait_input: Address added. previous interface setting (name: en0, address: 192.168.0.103), current interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:15,068 configd[21] network changed: v4(en0:192.168.0.103, ppp0, ppp1+:192.168.0.103) DNS* Proxy SMB
21.06.13 18:12:17,102 apsd[466] Certificate not yet generated
21.06.13 18:12:18,103 apsd[466] Certificate not yet generated
21.06.13 18:12:19,004 apsd[466] Couldn't find cert in response dict
21.06.13 18:12:19,006 apsd[466] Failed to get client cert on attempt 11, will retry in 900 seconds
21.06.13 18:12:19,066 racoon[226] IKE Packet: transmit success. (Information message).
21.06.13 18:12:19,067 racoon[226] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
21.06.13 18:12:19,120 apsd[466] Certificate not yet generated
21.06.13 18:12:21,802 pppd[1256] l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 192.168.0.103), deleted interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:21,817 pppd[1371] l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 192.168.0.103), deleted interface setting (name: ppp1, family: PPP, address: 192.168.0.103, subnet: 255.255.255.0, destination: 192.168.0.203).
21.06.13 18:12:21,822 configd[21] network changed: v4(en0:192.168.0.103, ppp0, ppp1-:192.168.0.103) DNS* Proxy SMB
21.06.13 18:12:21,981 pppd[1371] Fatal signal 6
21.06.13 18:12:21,982 racoon[226] IKE Packet: receive success. (Information message).
21.06.13 18:12:22,011 vpnd[1210] --> Client with address = 192.168.0.203 has hungup
21.06.13 18:12:22,022 UserEventAgent[17] Captive: [mySCCopyWiFiDevices:162] WiFi Device Name == NULL
21.06.13 18:12:23,837 apsd[466] Certificate not yet generated
21.06.13 18:12:23,839 apsd[466] Certificate not yet generated
21.06.13 18:12:25,148 apsd[466] Couldn't find cert in response dict
21.06.13 18:12:25,148 apsd[466] Failed to get client cert on attempt 12, will retry in 900 seconds
21.06.13 18:12:25,845 apsd[466] Certificate not yet generated
Connecting from external, VPN fail:
21.06.13 18:10:52,533 racoon[226] Connecting.
21.06.13 18:10:52,533 racoon[226] IPSec Phase1 started (Initiated by peer).
21.06.13 18:10:52,535 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 1).
21.06.13 18:10:52,536 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 2).
21.06.13 18:10:52,692 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 3).
21.06.13 18:10:52,713 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 4).
21.06.13 18:10:52,882 racoon[226] IKEv1 Phase1 AUTH: success. (Responder, Main-Mode Message 5).
21.06.13 18:10:52,882 racoon[226] IKE Packet: receive success. (Responder, Main-Mode message 5).
21.06.13 18:10:52,882 racoon[226] IKEv1 Phase1 Responder: success. (Responder, Main-Mode).
21.06.13 18:10:52,883 racoon[226] IKE Packet: transmit success. (Responder, Main-Mode message 6).
21.06.13 18:10:52,883 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:10:53,412 racoon[226] Connecting.
21.06.13 18:10:53,413 racoon[226] IPSec Phase2 started (Initiated by peer).
21.06.13 18:10:53,413 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 1).
21.06.13 18:10:53,414 racoon[226] IKE Packet: transmit success. (Responder, Quick-Mode message 2).
21.06.13 18:10:53,531 racoon[226] IKE Packet: receive success. (Responder, Quick-Mode message 3).
21.06.13 18:10:53,532 racoon[226] IKEv1 Phase2 Responder: success. (Responder, Quick-Mode).
21.06.13 18:10:53,532 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:11:13,643 racoon[226] IKE Packet: receive success. (Information message).
21.06.13 18:11:13,671 racoon[226] IKE Packet: receive success. (Information message).
Hope you see more than me and can help... :-( -
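The three threads above show the same L2TP/IPsec handshake stopping at different points: the 10.6.3 client never gets a Quick Mode answer, Daniel's post traces the Mavericks failure to the NAT-T port, and Andre's server completes IKE from outside but never sees an L2TP call. This added triage script (not code from any of the posters) reads both log layouts from the posts and names the furthest stage reached; the sample lines are constructed from the excerpts above, with a documentation address in place of the redacted server.

```python
"""Triage racoon/pppd/vpnd log excerpts from an L2TP/IPsec attempt.

Added example; not code from any post on this page. It accepts both line
layouts the posts use (syslog style 'Apr 22 19:14:03 host racoon[518]: ...'
and Console style '21.06.13 18:12:13,880 racoon[226] ...') and reports the
furthest stage the session reached, so a phase 1, phase 2 or L2TP-level
failure can be told apart before router or server settings are changed.
"""
import re
from typing import Dict, Iterable

# Process name and message are enough; the timestamp/host prefix is ignored.
PROC_RE = re.compile(r"(?P<proc>racoon|pppd|vpnd)\[\d+\]:?\s+(?P<msg>.*)$")

# Stages in the order an L2TP/IPsec session passes through them.
STAGES = ("none", "phase1", "phase2", "l2tp", "ppp")


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Return the furthest stage reached, the Phase 2 retransmit count and a hint."""
    reached = 0
    phase2_retransmits = 0
    ipsec_failed = False
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue  # apsd, configd and other noise sharing the same log
        msg = m.group("msg")
        if "Phase2 Retransmit" in msg:
            phase2_retransmits += 1
        elif "Phase1" in msg and ("success" in msg or "established" in msg):
            reached = max(reached, 1)
        elif "Phase2" in msg and ("success" in msg or "established" in msg):
            reached = max(reached, 2)
        elif "L2TP connection established" in msg:
            reached = max(reached, 3)
        elif "CHAP peer authentication succeeded" in msg or msg.startswith("local IP address"):
            reached = max(reached, 4)
        elif "IPSec connection failed" in msg:
            ipsec_failed = True
    stage = STAGES[reached]
    hints = {
        "none": "IKE phase 1 never completed: UDP 500 is not reaching the peer, "
                "or the phase 1 proposal / pre-shared key does not match.",
        "phase1": "Phase 1 completed but Quick Mode got no answer "
                  "(%d retransmits): check the NAT-T path on UDP 4500 and the "
                  "phase 2 proposal." % phase2_retransmits,
        "phase2": "IPsec SAs are up but no L2TP call reached pppd: ESP (IP proto 50, "
                  "or UDP 4500 with NAT-T) data traffic is not getting through.",
        "l2tp": "L2TP tunnel is up; the failure is at PPP authentication or IPCP.",
        "ppp": "L2TP/IPsec session completed end to end.",
    }
    return {"stage": stage, "phase2_retransmits": phase2_retransmits,
            "ipsec_failed": ipsec_failed, "hint": hints[stage]}


# Constructed sample (shortened): a client stalling in phase 2, as in the 10.6.3 post.
CLIENT_STALLED = """\
Apr 22 19:14:03 noname pppd[517]: L2TP connecting to server 'vpn.example.com' (192.0.2.10)...
Apr 22 19:14:03 noname racoon[518]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Apr 22 19:14:03 noname racoon[518]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).
Apr 22 19:14:04 noname racoon[518]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr 22 19:14:07 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:10 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:13 noname racoon[518]: IKE Packet: transmit success. (Phase2 Retransmit).
Apr 22 19:14:34 noname pppd[517]: IPSec connection failed
""".splitlines()

# Constructed sample: server side, external client, IKE done but no L2TP call (Andre's case).
SERVER_NO_L2TP = """\
21.06.13 18:10:52,883 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:10:53,413 racoon[226] IPSec Phase2 started (Initiated by peer).
21.06.13 18:10:53,532 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:11:13,643 racoon[226] IKE Packet: receive success. (Information message).
""".splitlines()

# Constructed sample: server side, internal client, everything completes.
SERVER_OK = """\
21.06.13 18:12:13,970 racoon[226] IPSec Phase1 established (Initiated by peer).
21.06.13 18:12:14,886 racoon[226] IPSec Phase2 established (Initiated by peer).
21.06.13 18:12:14,890 vpnd[1210] Incoming call... Address given to client = 192.168.0.203
21.06.13 18:12:14,931 pppd[1371] L2TP connection established.
21.06.13 18:12:15,036 pppd[1371] CHAP peer authentication succeeded for user
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("client stalled", CLIENT_STALLED),
                         ("server, no L2TP", SERVER_NO_L2TP), ("server ok", SERVER_OK)):
        r = triage(sample)
        print(f"{name}: stage={r['stage']} retransmits={r['phase2_retransmits']}\n  {r['hint']}")
```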
ASA-5505 Site-to-Site Not Working
I am somewhat new to Cisco but do have some experience. I am trying to connect two ASA 5505s together via site-to-site VPN. They are configured with public IPs and all other services are working. I have used the VPN wizard on both boxes successfully but the tunnels are not working. The two devices are on the Comcast network. Any help would be appreciated.
Site A: ASA 5505 w/50 User license
Site B: ASA 5505 w/10 User license
Site A Config:
ASA Version 8.2(5)
hostname *********************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username user1 password tTq7bIZ.C4x0j.qv encrypted privilege 15
username ********* password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Site B:
ASA Version 8.2(5)
hostname ***************
enable password 6.De4e7UzES9wBPg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.10 Web_Server
name 10.0.6.0 Ghost_Flower_Inside
name 10.0.5.0 San_Mateo_Inside
name 10.0.5.100 Any_Connect_100
name 10.0.5.101 Any_Connect_101
name 10.0.5.102 Any_Connect_102
name 10.0.5.103 Any_Connect_103
name 10.0.5.104 Any_Connect_104
name 10.0.5.105 Any_Connect_105
name 10.0.5.106 Any_Connect_106
name 10.0.5.107 Any_Connect_107
name 10.0.5.108 Any_Connect_108
name 10.0.5.109 Any_Connect_109
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.201 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 173.10.XXX.XXX 255.255.255.252
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Any_Connect_DHCP
network-object host Any_Connect_100
network-object host Any_Connect_101
network-object host Any_Connect_102
network-object host Any_Connect_103
network-object host Any_Connect_104
network-object host Any_Connect_105
network-object host Any_Connect_106
network-object host Any_Connect_107
network-object host Any_Connect_108
network-object host Any_Connect_109
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.100.2 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.242.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.1.10.0 255.255.255.0 outside
http San_Mateo_Inside 255.255.255.255 inside
http San_Mateo_Inside 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.12.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-webvpn-session-limit 10
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh San_Mateo_Inside 255.255.255.0 inside
ssh 10.1.10.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.0.5.10-10.0.5.30 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
svc profiles CATS disk0:/cats.xml
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 75.75.75.75
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc profiles value CATS
username ************** password sPxon1E6hTszm7Ko encrypted privilege 15
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
: end
Hi Kevin,
Both sides have the IP address 173.10.XXX.XXX on their respective outside interfaces, and you have configured the peers as 173.12.X.X.
Please ensure the correct IP addresses for the VPN peers are configured, via the following command:
crypto map outside_map 1 set peer X.X.X.X
e.g. if you have 173.10.X.X on Site X and 173.12.X.X on Site Y, then
On Site X, peer would be
crypto map outside_map 1 set peer 173.12.X.X
and the tunnel-group will be
tunnel-group 173.12.XXX.XXX type ipsec-l2l
tunnel-group 173.12.XXX.XXX ipsec-attributes
pre-shared-key *****
On Site Y, peer would be
crypto map outside_map 1 set peer 173.10.X.X
and the tunnel-group will be
tunnel-group 173.10.XXX.XXX type ipsec-l2l
tunnel-group 173.10.XXX.XXX ipsec-attributes
pre-shared-key *****
Also, the NAT exemptions would be complementary to each other, i.e.
On Site X,
access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
On Site Y,
access-list inside_nat0_outbound extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
Hope that helps.
Regards,
Dinesh Moudgil -
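The peer mismatch described in this reply can be caught mechanically before the tunnel is brought up. The script below is an added example (not code from the thread or from Cisco): it pulls only the outside interface address, the "crypto map ... set peer" entries and the "ipsec-l2l" tunnel-group names out of each side's running config and reports where the two sides do not point at each other. The two config snippets are constructed, with 173.10.0.2 and 173.12.0.2 standing in for the masked addresses; Site Y repeats the mistake in the thread by naming its own outside address as the peer.

```python
"""Check that two ASA site-to-site (ipsec-l2l) configs peer with each other.

Added example, not from the thread. It reads only the lines the check needs:
the outside interface address, 'crypto map ... set peer' and
'tunnel-group <ip> type ipsec-l2l'.
"""
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed configs standing in for the masked ones in the thread.
# Site Y repeats the thread's mistake: its peer is its own outside address.
SITE_X = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.10.0.2 255.255.255.248
crypto map outside_map 1 set peer 173.12.0.2
tunnel-group 173.12.0.2 type ipsec-l2l
tunnel-group 173.12.0.2 ipsec-attributes
 pre-shared-key *****
"""

SITE_Y = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.12.0.2 255.255.255.248
crypto map outside_map 1 set peer 173.12.0.2
tunnel-group 173.12.0.2 type ipsec-l2l
tunnel-group 173.12.0.2 ipsec-attributes
 pre-shared-key *****
"""


def outside_address(config):
    """Address of the interface block whose nameif is 'outside', or None."""
    for block in re.split(r"(?m)^interface ", config)[1:]:
        if re.search(r"(?m)^\s*nameif outside\s*$", block):
            m = re.search(r"(?m)^\s*ip address " + IP, block)
            return m.group(1) if m else None
    return None


def crypto_peers(config):
    """Every peer address set on a static crypto map entry."""
    return set(re.findall(r"(?m)^crypto map \S+ \d+ set peer " + IP, config))


def l2l_tunnel_groups(config):
    """Names of tunnel-groups declared as site-to-site (ipsec-l2l)."""
    return set(re.findall(r"(?m)^tunnel-group " + IP + r" type ipsec-l2l", config))


def check_pair(local, remote):
    """Findings for 'local' when it is supposed to tunnel to 'remote'."""
    findings = []
    my_ip, their_ip = outside_address(local), outside_address(remote)
    peers, groups = crypto_peers(local), l2l_tunnel_groups(local)
    if my_ip in peers:
        findings.append(f"peer {my_ip} is this site's own outside address")
    if their_ip not in peers:
        findings.append(f"no crypto map entry peers with the remote outside address {their_ip}")
    # A peer without a matching l2l tunnel-group has no pre-shared key for IKE phase 1.
    for peer in sorted(peers - groups):
        findings.append(f"peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
    return findings


if __name__ == "__main__":
    for name, local, remote in (("Site X", SITE_X, SITE_Y), ("Site Y", SITE_Y, SITE_X)):
        print(name, check_pair(local, remote) or "OK")
```

Run against the two constructed sites, Site X comes back clean and Site Y gets two findings: its peer is its own address, and nothing peers with 173.10.0.2. The same check is worth running on the nat0 ACLs, which must be the mirror image of each other on the two sides.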
VPN not working after adding subinterface - ASA 5510
Hello,
Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure.
There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.
Former we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.
But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more.
Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal address goes to the internet.)
Below there is my config, I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2).
TREV is the network of this location.
Company1,2,3 are remote locations.
: Saved
ASA Version 8.2(5)
hostname XXXXXXX
domain-name domain.lan
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name XXXXXXXX Company1
name 192.168.1.0 Company2
name XXXXXXXXX GCT
name XXXXXXXX BMD
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address XXXXX 255.255.255.248
interface Ethernet0/1
description Inside
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
description Trunk Interface
no nameif
no security-level
no ip address
interface Ethernet0/2.2
description Wireless
vlan 110
nameif wlan
security-level 100
ip address 192.168.110.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.10
domain-name domain.lan
dns server-group COMPANY2
name-server 192.168.1.16
domain-name domain.local
dns server-group COMPANY3
name-server 192.168.200.1
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network VPN_Networks
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object TREV 255.255.255.0
network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object COMPANY2 255.255.255.0
network-object COMPANY3 255.255.255.0
network-object COMPANY3-VPN 255.255.255.0
network-object COMPANY2-VPN 255.255.255.0
network-object Wireless 255.255.255.0
access-list INCOMING remark *** Allow ICMP ***
access-list INCOMING extended permit icmp any any echo-reply
access-list INCOMING extended permit icmp any any time-exceeded
access-list INCOMING extended permit icmp any any unreachable
access-list INCOMING extended permit icmp any any parameter-problem
access-list INCOMING extended permit icmp any any source-quench
access-list INCOMING extended permit icmp any any echo
access-list INCOMING remark *** Maintenance Company1 ***
access-list INCOMING remark *** Maintenance BMD ***
access-list INCOMING remark *** Mail ***
access-list ......
access-list Trev-nat0 remark *** NoNat ***
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_debug extended permit tcp any host 192.168.100.5
access-list inside_debug extended permit tcp any TREV 255.255.255.0
access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu wlan 1500
ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXXXXXXXXXX
nat (inside) 0 access-list Trev-nat0
nat (inside) 2 192.168.100.25 255.255.255.255
nat (inside) 2 192.168.100.250 255.255.255.255
nat (inside) 1 TREV 255.255.255.0
nat (wlan) 0 access-list Wireless-nat0
static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
.... a lot of statics..............
static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp XXXXXXXXXX 995 192.168.100.25 995 netmask 255.255.255.255
access-group INCOMING in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.100.10
timeout 5
key *****
radius-common-pw *****
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host 192.168.100.10
key *****
radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable 4430
http COMPANY2 255.255.255.0 management
http TREV 255.255.255.0 inside
http Company1 255.255.255.224 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 178.188.202.78
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 5
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh bit-Studio 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh TREV 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcprelay server 192.168.100.10 inside
dhcprelay enable wlan
dhcprelay setroute wlan
dhcprelay timeout 90
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
intercept-dhcp enable
group-policy IPsecVPN internal
group-policy IPsecVPN attributes
wins-server value 192.168.100.10
dns-server value 192.168.100.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value domain.lan
username admin password XXXXXXXXXX encrypted privilege 15
username vpntest password XXXXXXXXX nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group XXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group IPsecVPN type remote-access
tunnel-group IPsecVPN general-attributes
address-pool VPN-Pool
authentication-server-group RADIUS
default-group-policy IPsecVPN
tunnel-group IPsecVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
: end
Hi,
First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or the source network isn't correct.
Let's look at the NAT0 ACL you have line by line:
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
The above access-list has the correct source network configured, yet it has its destination addresses configured with an "object-group" which contains your LAN network.
You should probably remove the LAN network from the object-group VPN_Networks.
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
To my understanding the above ACL line doesn't serve any purpose, as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking you to remove from the object-group).
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't.
I would suggest simplifying your NAT0 configuration, for example in the following way (change the names if you want, if you're going to try it out):
object-group network TREV-LAN
description Local networks
network-object 192.168.100.0 255.255.255.0
object-group network VPN-NETWORKS
description Remote networks
network-object 192.168.200.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
With the above configurations
You have all NAT0 with a single line of access-list configuration (not counting the remark line as it doesnt affect anything)
If there are changes in the VPN pools, VPN remote networks or LAN networks, you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network.
So as I said, I would start with changing the above NAT configuration and then test the VPN again. If it doesn't work we will have to check some other things out.
- Jouni -
ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working
I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network.
Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either. Any ideas what I could be missing in my configuration? I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
ASA Version 8.2(1)
hostname fw
domain-name net.com
enable password eYKAfQL1.ZSbcTXZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface Ethernet0/0
description Primary Outside (Internet)
speed 10
duplex full
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.240
ospf cost 10
interface Ethernet0/1
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
ospf cost 10
interface Ethernet0/2
description WLAN
nameif WLAN
security-level 100
ip address 192.168.108.240 255.255.255.0
ospf cost 10
interface Ethernet0/3
description Secondary Outside (Internet)
speed 100
duplex full
nameif WAN2
security-level 0
ip address 2.2.2.133 255.255.255.192
interface Management0/0
description LAN/STATE Failover Interface
time-range after_hours
periodic weekdays 7:00 to 23:00
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WLAN
dns server-group DefaultDNS
retries 3
timeout 5
name-server 8.8.8.8
name-server 206.191.0.210
name-server 4.2.2.1
name-server 4.2.2.2
domain-name net.com
access-list WAN2_access_in extended permit icmp any any echo-reply
access-list WAN2_access_in extended permit icmp any any time-exceeded
access-list WAN2_access_in extended permit icmp any any source-quench
access-list WAN2_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit icmp any any echo-reply
access-list WLAN_access_in extended permit icmp any any time-exceeded
access-list WLAN_access_in extended permit icmp any any source-quench
access-list WLAN_access_in extended permit icmp any any unreachable
access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
access-list WLAN_access_in extended permit ip any any
access-list time_based extended permit ip any any time-range after_hours
access-list split_tunnel standard permit host 206.191.0.210
access-list split_tunnel standard permit host 206.191.0.140
access-list split_tunnel standard permit host 207.181.101.4
access-list split_tunnel standard permit host 207.181.101.5
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
pager lines 20
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WLAN 1500
mtu WAN2 1500
ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface WAN2
failover
failover lan unit secondary
failover lan interface FO Management0/0
failover key *****
failover link FO Management0/0
failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any WLAN
icmp permit any WAN2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (WAN2) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (WLAN) 1 192.168.108.0 255.255.255.0
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group WLAN_access_in in interface WLAN
access-group WAN2_access_in in interface WAN2
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.108.0 255.255.255.0 WLAN
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh scopy enable
ssh 2.2.2.132 255.255.255.255 outside
ssh 69.17.141.134 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.108.0 255.255.255.0 WLAN
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.108.11-192.168.108.239 WLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.100.100.128
ntp server 132.246.168.148
ntp server 128.100.56.135
tftp-server inside 192.168.1.100 /
webvpn
group-policy Wifi internal
group-policy Wifi attributes
wins-server none
dns-server value 206.191.0.210 206.191.0.140
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group Wifi type remote-access
tunnel-group Wifi general-attributes
address-pool DHCP
default-group-policy Wifi
tunnel-group Wifi ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.1.245 255.255.255.255 inside
asdm location 192.168.1.252 255.255.255.255 inside
asdm history enable
Hi,
I can't see any problems right away in the configuration.
I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
packet-tracer input outside tcp 1.1.1.1 12345 22
packet-tracer input outside icmp 1.1.1.1 8 0
Don't mind the source address of 1.1.1.1. It's just an address that is located behind the "outside" interface according to the ASA routing table. (As the 1.1.1.0/28 in the configuration is not actually configured on the ASA.)
Share the exact "packet-tracer" command used (without the public IP; notice that the output contains the public IP also) and the output of the command with us here.
Also, have you made sure that there are no old translations active on the ASA?
You can use this command to view those
show xlate local 192.168.1.100
You can clear the xlates with
clear xlate local 192.168.1.100
- Jouni -
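An added example (not from the thread) for reading the output this reply asks for. The sample is constructed in the layout ASA 8.2 uses for "packet-tracer input outside tcp 1.1.1.1 12345 1.1.1.7 22" (the full form takes source address, source port, destination address and destination port); the UN-NAT static and the access-group line are the question's, the phases are abridged, and the DROP verdict is invented to show what a failing trace looks like. The parser returns the phase that dropped the packet, the config lines the ASA attributes it to, and the Drop-reason.

```python
"""Summarise ASA 'packet-tracer' output: which phase dropped the packet and why.

Added example, not from the thread. SAMPLE is constructed in the layout ASA 8.2
prints for
    packet-tracer input outside tcp 1.1.1.1 12345 1.1.1.7 22
with the phases abridged and the DROP outcome invented.
"""
import re

SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
  match ip inside host 192.168.1.100 outside any
    static translation to 1.1.1.7
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.7/0 to 192.168.1.100/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per 'Phase:' block plus the final 'Result:' block."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields = {}
            for line in lines:
                m = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)$", line)
                if m:
                    fields[m.group(1).lower()] = m.group(2).strip()
            # The config the phase matched sits between 'Config:' and 'Additional Information:'.
            start = lines.index("Config:") + 1
            end = lines.index("Additional Information:") if "Additional Information:" in lines else len(lines)
            fields["phase"] = int(fields["phase"])
            fields["config"] = lines[start:end]
            phases.append(fields)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                verdict[key.strip()] = value.strip()
    return phases, verdict


def summarize(text):
    """Condense a trace into the facts you act on: verdict, first DROP phase, its config."""
    phases, verdict = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": verdict.get("Action"),
        "drop_reason": verdict.get("Drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_config": drop["config"] if drop else [],
        # True when the static for the public address was found and applied.
        "untranslated": any(p["type"] == "UN-NAT" and p["result"] == "ALLOW" for p in phases),
        "trace": [(p["phase"], p["type"], p["result"]) for p in phases],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for phase, kind, result in s["trace"]:
        print(f"phase {phase:<2} {kind:<12} {result}")
    if s["action"] == "drop":
        print(f"dropped in phase {s['drop_phase']} ({s['drop_type']}): {s['drop_reason']}")
        print("\n".join("  " + line for line in s["drop_config"]))
```

Two things to read off such a trace: whether the UN-NAT phase found the static for 1.1.1.7 (if it did not, the static or a stale xlate is the problem and "show xlate local 192.168.1.100" is the next step), and which ACL line the drop is attributed to. On 8.2 the inbound ACL on outside matches the mapped address (host 1.1.1.7, as the question's ACL does); on 8.3 and later it has to reference the real address 192.168.1.100 instead.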
Dear Apple.
I was really happy with my iphone4s, IOS 6.0, great product, amazing quality and possibilities BUT.......
I updated from IOS 6.0 to 6.1.1. and the WIFI nightmare started.
I waited for a new update to fix the WIFI problems and I updated my iphone 4s from 6.1.1. to 6.1.2. in order to solve these problems related with WIFI connections.
But IOS 6.1.2 is even worse:
- WIFI is not working at all. So I cannot download apps greater than 50MB.
- Battery life is shorter than ever.
- 3G goes in and out every minute.
- When you operate the iphone4s you can tell that it is hotter than before.
These problems are unacceptable and inconsistent with a high quality standard product.
You can read a lot of blogs, I am not the only one.
Please give us a solution as soon as possible.
Best Regards
AICITEL
Thank you for your support.
My router is a TL-WR740N, and I think it has only a 2.4-2.4835GHz antenna.
So it seems that I have to keep on trying.
I also tried to rename the router, still nothing.
Thank you anyway.
FYI.
4 10/100Mbps LAN ports
1 10/100Mbps WAN port
Buttons
Quick Security Setup button
Reset button
External Power Supply
9VDC / 0.6A
Wireless Standards
IEEE 802.11n*, IEEE 802.11g, IEEE 802.11b
Antenna
5dBi fixed omnidirectional
Dimensions (L x W x H)
6.9 x 4.6 x 1.3 in. (174 x 118 x 33 mm)
Frequency
2.4-2.4835GHz
Signal Rate
11n: up to 150Mbps (dynamic)
11g: up to 54Mbps (dynamic)
11b: up to 11Mbps (dynamic)
EIRP
<20dBm(EIRP)
Reception Sensitivity
130M: -68dBm@10% PER
108M: -68dBm@10% PER
54M: -68dBm@10% PER
11M: -85dBm@8% PER
6M: -88dBm@10% PER
1M: -90dBm@8% PER
Wireless Functions
Enable/Disable Wireless Radio, WDS Bridge, WMM, Wireless Statistics
Wireless Security
64/128/152-bit WEP / WPA / WPA2, WPA-PSK / WPA2-PSK
WAN Type
Dynamic IP / Static IP / PPPoE /
PPTP (Dual Access) / L2TP (Dual Access) / BigPond
DHCP
Server, Client, DHCP Client List,
Address Reservation
Quality of Service
WMM, Bandwidth Control
Port Forwarding
Virtual Server, Port Triggering, UPnP, DMZ
Dynamic DNS
DynDns, Comexe, NO-IP
VPN Pass-Through
PPTP, L2TP, IPSec (ESP Head)
Access Control
Parental Control, Local Management Control, Host List, Access List, Rule Management
Firewall Security
DoS, SPI Firewall
IP Address Filter / MAC Address Filter / Domain Filter
IP and MAC Address Binding
Management
Access Control
Local Management
Remote Management
Certification
CE, FCC, RoHS
Package Contents
TL-WR740N
1 fixed omnidirectional antenna
Power supply
Resource CD
Quick Installation Guide
System Requirements
Microsoft® Windows® 98SE, NT, 2000, XP, Vista™ or Windows 7, Mac® OS, NetWare®, UNIX® or Linux.
Environment
Operating Temperature: 0°C ~ 40°C (32°F ~ 104°F)
Storage Temperature: -40°C ~ 70°C (-40°F ~ 158°F)
Operating Humidity: 10% ~ 90% non-condensing
Storage Humidity: 5% ~ 90% non-condensing -
Cisco 1841 as PPTP client Does not work
Dear All,
I have a Cisco 1841 router running the roles below:
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured as a PPTP client to an internet VPN server (so that I will get a fixed public IP).
Once I get this IP address I want to use this connection to accept incoming connections and forward ports to an internal host.
I went through below
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work, as I do not have the option for the 2 commands below in the vpdn-group 2 section. (Please see the section in blue.)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:yyyyy@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
Dear All,
I have a Cisco 1841 router running the below roles:
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured as a PPTP client to an internet VPN server (so that I will get a fixed public IP).
Once I get this IP address I want to use this connection to accept incoming connections and forward ports to an internal host.
I went through the below:
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work as I do not have the option for the below 2 commands in the vpdn-group 2 section. (Please see section in blue)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
exit
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:yyyyy@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 84000
crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map mydyn 10
set transform-set strongsha
crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
interface FastEthernet0/0
description Internal Network (Protected Interface)
ip address 10.236.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address dhcp-pool ContosoPool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 eap
interface Dialer1
ip ddns update hostname XXXXXXX.dyndns.org
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
ppp pap sent-username vermam password 7 13044E155E0913323B
crypto map Dxb-Auh
interface Dialer2
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 2
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2 callin
ppp eap refuse
ppp chap hostname hasanreza
ppp chap password 7 070E2541470726544541
interface Dialer995
no ip address
ip local pool webssl 10.236.6.10 10.236.6.30
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list nat interface Dialer1 overload
ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.21.51.0 255.255.255.0 10.236.5.253
ip access-list extended internal
permit ip any 10.236.5.0 0.0.0.255
ip access-list extended nat
deny ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
deny ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 any
ip access-list extended nonat
permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
ip access-list extended sslacl
ip access-list extended webvpn
permit tcp any any eq 443
logging esm config
access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway1
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint TP.StartSSL-vpn
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context webvpn
ssl authenticate verify all
url-list "Webservers"
heading "SimpleIT Technologies NBNS Servers"
url-text "Google" url-value "www.google.com"
url-text "Mainframe" url-value "10.236.5.2"
url-text "Mainframe2" url-value "https://10.236.5.2"
nbns-list "ContosoServer"
nbns-server 10.236.5.10
nbns-server 10.236.5.11
nbns-server 10.236.5.12
port-forward "PortForwarding"
local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
policy group policy1
url-list "Webservers"
port-forward "PortForwarding"
nbns-list "ContosoServer"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
svc address-pool "webssl"
svc default-domain "Contoso.Local"
svc keep-client-installed
svc split include 10.236.5.0 255.255.255.0
svc split include 10.236.6.0 255.255.255.0
svc split include 172.31.1.0 255.255.255.0
svc split include 172.21.51.0 255.255.255.0
svc dns-server primary 172.21.51.10
default-group-policy policy1
gateway gateway1
inservice
end
Gateway# -
Hi
I have had a problem when trying to set up the VPN service on OS X Server. I use OS X Mountain Lion Server. The problem is that when I set up the VPN service in the Server app, it won't let me connect to the VPN using my public IP address or from outside my network. It will work if I type in the IPv4 address of the server inside the network. It just won't work outside the network. I looked up the port number for OS X Server VPN and did the port forwarding in the router. Unless I have the port wrong (which I doubt), why would this not be working? I am using L2TP to connect to the server but I have also tried PPTP and that did not work either. I think that the problem must be something with getting the VPN onto the internet, since it works perfectly fine inside the network.
Thanks for any help.
Michael
If you have a port-mirroring switch (I use a Netgear GS105E), it is very handy.
This is the typical configuration for a VPN. Let us assume L2TP.
VPN Client (L2TP) -> WAN Router/Firewall (Outside) -> LAN Port Forwarding (inside) -> VPN Server (LNS = OS X server).
You may not be able to decrypt packets, but you can see the outer headers. If the WAN Router/Gateway has port mirroring functions, you can watch incoming packets at the WAN interface. The Router/Gateway should just forward packets to the designated port/IP.
If the packets make it past the Router/Gateway, the Server configuration should be checked. Temporarily, you can turn off the firewall and see if you can get to the OS X server. It will help in pinpointing where the issue might be. Shared secrets should also be checked.
If you are able to VPN from inside, it is a very strange configuration. Usually coming from inside to inside is not permitted.
If the clients and servers use the same intranet addresses, for example the client uses 192.168.x.x and the server is also on 192.168.x.x, you will run into issues. You may need to reserve address space for VPN clients. -
My server is not working using Hotspot Shield VPN; what do I do?
I purchased Hotspot Shield VPN at $9.99 per year but it is not working. What happened? Does it not suit my server, or is something wrong? I have emailed Hotspot Shield support, no answer.
Hello,
Why are you handing out 192.185.2.1 through 192.185.2.10 in your VPN addresses?
Should this be 192.168.0.XXX through 192.168.0.XXX, and out of the range of what the router is handing out?
Why don't you try making your Server 192.168.0.2 using your router as the gateway of 192.168.0.1
Set your router's DHCP scope 192.168.0.10 through 192.168.0.100
Set your VPN addresses for L2TP 192.168.0.101 through 192.168.0.149
Set your VPN addresses for PPTP 192.168.0.150 through 192.168.0.199
Thanks,
ebrind
Message was edited by: ebrind -
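As an added check that is not part of the thread, the script below validates an address plan of the kind ebrind describes: every DHCP and VPN range must sit inside the LAN, the ranges must not overlap each other, and neither the gateway nor the server address may fall inside a range. The good plan uses the addresses from the reply; the bad plan is constructed to show the 192.185.2.x pool being flagged.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def pool(first, last):
    """Expand an inclusive first..last range into a set of IPv4Address."""
    a, b = IPv4Address(first), IPv4Address(last)
    return {ip for net in summarize_address_range(a, b) for ip in net}


def check_plan(lan, gateway, server, dhcp, l2tp, pptp):
    """Return a list of problems with a LAN/VPN address plan (empty = OK).

    lan is a CIDR string, gateway/server are addresses, and dhcp/l2tp/pptp
    are (first, last) tuples. Problems are reported in this order: ranges
    outside the LAN or containing the gateway/server, then pairwise overlaps.
    """
    net = IPv4Network(lan)
    fixed = {"gateway": IPv4Address(gateway), "server": IPv4Address(server)}
    ranges = {"DHCP": pool(*dhcp), "L2TP": pool(*l2tp), "PPTP": pool(*pptp)}
    problems = []
    for name, ips in ranges.items():
        outside = [ip for ip in ips if ip not in net]
        if outside:
            problems.append(f"{name} range has {len(outside)} address(es) outside {net}")
        for role, addr in fixed.items():
            if addr in ips:
                problems.append(f"{name} range contains the {role} address {addr}")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            common = ranges[a] & ranges[b]
            if common:
                problems.append(f"{a} and {b} ranges overlap on {len(common)} address(es)")
    return problems


# The plan suggested in the reply above: expected to pass with no findings.
GOOD_PLAN = dict(lan="192.168.0.0/24", gateway="192.168.0.1", server="192.168.0.2",
                 dhcp=("192.168.0.10", "192.168.0.100"),
                 l2tp=("192.168.0.101", "192.168.0.149"),
                 pptp=("192.168.0.150", "192.168.0.199"))

# Constructed bad plan: the original 192.185.2.x pool (outside the LAN) plus a
# PPTP pool that collides with the router's DHCP scope.
BAD_PLAN = dict(GOOD_PLAN, l2tp=("192.185.2.1", "192.185.2.10"),
                pptp=("192.168.0.50", "192.168.0.149"))

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(**plan) or "OK")
```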
Tablet UI does not work on Prestigio 5080 PRO tablet
I read that browser.ui.layout.tablet = "1" can fix this problem. But it does not work. I can only work in the phone interface, which is not good for my 8'' tablet.
Would it be possible for you to share the problematic pdf and OS information with us at [email protected] so that we may investigate?
Thanks,
Adobe Reader Team